Agent Foskett Academy • Lesson 34 • Investigating DeviceFileEvents

Investigating DeviceFileEvents in Microsoft Defender XDR

DeviceFileEvents records file activity occurring on endpoints protected by Microsoft Defender for Endpoint.

This table helps defenders investigate file creation, modification, deletion, downloads, archive files, scripts and suspicious payloads.

In this lesson, you will learn how to use DeviceFileEvents to follow file evidence, identify suspicious files and support Microsoft Defender XDR investigations.

Lesson overview

Learn how DeviceFileEvents helps defenders investigate file creation, deletion, downloads, archive files and suspicious payloads.

Review file activity
Identify suspicious files and paths
Follow file creation and deletion evidence
🎯 DeviceFileEvents helps reveal what appeared on the device.
Use it when an investigation needs downloaded files, payloads, scripts, archives, file modifications or deletion evidence.

Why DeviceFileEvents matters

Many attacks eventually leave a file behind before the full incident becomes obvious.

A user may download a ZIP file, an executable may appear in Downloads, a script may be created, or ransomware may rapidly modify large numbers of files.

DeviceFileEvents helps defenders investigate those file events and connect file activity back to devices, users, folders and processes.
File names and paths: Investigate file names, folder paths, extensions and locations across protected devices.
File actions: Review creation, modification, deletion and rename events that help explain what happened.
Payload evidence: Identify downloaded executables, scripts, archives and suspicious files used during an attack.

Investigation scenario

Agent Foskett is investigating a workstation after a user reports opening a downloaded invoice archive.

The network activity is important, but the next question is simple: what file appeared on the device?

By querying DeviceFileEvents, the analyst can review downloads, suspicious file types, folder paths and file actions around the activity.

Step 1 — Review recent file activity

Start with recent DeviceFileEvents activity and focus on useful investigation fields.
devicefileevents-recent-file-activity.kql
DeviceFileEvents
| where Timestamp > ago(24h)
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc

Step 2 — Investigate executable files

Filter for executable files that may represent downloaded tools, malware payloads or unauthorised software.
devicefileevents-executable-files.kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".exe"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc

Step 3 — Investigate the Downloads folder

Focus on user download locations where payloads, archives and suspicious attachments commonly appear.
devicefileevents-downloads-folder.kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains "Downloads"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc

How DeviceFileEvents supports investigations

DeviceFileEvents does not just show that a file existed.

It can show the device, folder path, file name, action type, hash evidence and when the file activity occurred.
Device evidence: Identify which endpoint recorded the file event and when the activity occurred.
File path evidence: Review FileName and FolderPath to understand where the file appeared or changed.
Action evidence: Use ActionType to understand whether the file was created, modified, renamed or deleted.

Step 4 — Find archive and disk image files

Archive and disk image files are common in phishing, malware delivery and initial access investigations.
devicefileevents-archive-files.kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".zip"
    or FileName endswith ".rar"
    or FileName endswith ".7z"
    or FileName endswith ".iso"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc

Step 5 — Find script files

Script files can reveal staged activity, phishing payloads, automation abuse or attacker-created tooling.
devicefileevents-script-files.kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".ps1"
    or FileName endswith ".vbs"
    or FileName endswith ".js"
    or FileName endswith ".bat"
| project Timestamp, DeviceName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc
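The following query is an added example, not one of the lesson's own files: it carries the invoice-archive scenario through Steps 1 to 5 in a single query, pairing each archive or disk image created in a Downloads folder with executables and scripts that appeared on the same device in the following hour. It uses the standard DeviceFileEvents schema columns DeviceId, FileOriginUrl, InitiatingProcessFileName and InitiatingProcessCommandLine, which the lesson's queries do not project; the one-hour window and the seven-day lookback are assumed tuning values.

```kql
// Added example: follow a downloaded archive to the files that appeared after it.
let lookback = 7d;          // assumed lookback window
let follow_window = 1h;     // assumed window between archive and payload
// Part A: archives and disk images created in a Downloads folder, with origin evidence.
let archives = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| where FolderPath has "Downloads"
| where FileName endswith ".zip" or FileName endswith ".rar"
      or FileName endswith ".7z" or FileName endswith ".iso"
| project ArchiveTime = Timestamp, DeviceId, DeviceName,
          ArchiveName = FileName, ArchivePath = FolderPath, ArchiveSHA256 = SHA256,
          FileOriginUrl, DownloadedBy = InitiatingProcessFileName;
// Part B: executables and scripts created anywhere on the device, with the creating process.
let payloads = DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
| extend Extension = tolower(extract(@"\.([^.]+)$", 1, FileName))
| where Extension in ("exe", "dll", "ps1", "vbs", "js", "bat")
| project PayloadTime = Timestamp, DeviceId, PayloadName = FileName,
          PayloadPath = FolderPath, PayloadSHA256 = SHA256,
          CreatedBy = InitiatingProcessFileName,
          CreatedByCommandLine = InitiatingProcessCommandLine;
// Join on the device and keep only payloads that appeared shortly after the archive.
archives
| join kind=inner payloads on DeviceId
| where PayloadTime between (ArchiveTime .. (ArchiveTime + follow_window))
| project ArchiveTime, DeviceName, ArchiveName, ArchivePath, FileOriginUrl, DownloadedBy,
          PayloadTime, PayloadName, PayloadPath, PayloadSHA256, CreatedBy, CreatedByCommandLine
| order by ArchiveTime desc, PayloadTime asc
```

A payload whose CreatedBy is an archive utility, a script host or a browser, and whose path sits under a user profile, is the row to pivot on next; the SHA256 values feed directly into DeviceProcessEvents and DeviceNetworkEvents.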

Common investigation uses

Malware downloads: Track downloaded payloads, dropped executables and suspicious files appearing on endpoints.
ZIP and ISO files: Review archives and disk images commonly used to deliver payloads through phishing or fake invoices.
Ransomware investigation: Review large volumes of file modification, rename or deletion events across impacted devices.
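For the ransomware use above, this added example (not from the lesson) summarises modification, rename and deletion events per device and initiating process in five-minute bins, so a single process touching hundreds of files across many folders stands out. It uses the standard schema columns InitiatingProcessFileName and InitiatingProcessCommandLine; the 500-event threshold and the five-minute bin are assumed tuning values.

```kql
// Added example: find processes producing a burst of file modifications, renames or deletions.
let threshold = 500;   // assumed: events per process per 5-minute bin worth reviewing
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileModified", "FileRenamed", "FileDeleted")
| extend Extension = tolower(extract(@"\.([^.]+)$", 1, FileName))
| summarize Events = count(),
            Folders = dcount(FolderPath),
            Actions = make_set(ActionType, 3),
            ResultingExtensions = make_set(Extension, 10),   // renames show new extensions here
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, bin(Timestamp, 5m)
| where Events > threshold
| order by Events desc
```

Backup agents, indexers and software updaters also produce bursts, so compare InitiatingProcessFileName and the folder spread before treating a row as encryption activity.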

Common mistakes

Looking only at FileName: Review FolderPath, ActionType, SHA256 and device context as well.
Ignoring FolderPath: A file name is more meaningful when you know exactly where the file appeared.
Ignoring the timeline: File activity should be reviewed alongside email, process and network evidence.

What you learned

DeviceFileEvents shows file evidence: You learned how to review file creation, modification, deletion, downloads and suspicious file paths.
Payload evidence matters: You learned how to investigate executables, archives, disk images and scripts.
ActionType reveals behaviour: You learned how file actions help explain whether a file was created, modified, renamed or deleted.
Next lesson: Investigating DeviceProcessEvents in Microsoft Defender XDR
Now that you can investigate file activity, the next step is following process creation, command lines and parent-child execution evidence.

Related Agent Foskett Academy lessons

Investigating DeviceNetworkEvents Review how defenders investigate remote IPs, domains, ports and outbound network activity.
Investigating EmailEvents Review how defenders investigate email delivery, sender evidence and suspicious messages.

Continue learning with Building Investigation Timelines, KQL Threat Hunting Guide and Microsoft Security.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
